[MSEC] weis-esp-group-counter, was MSEC status update (fwd)
gmgietf@identaware.com Mon, 05 February 2007 18:32 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HE8dH-0007rf-NX; Mon, 05 Feb 2007 13:32:03 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HE8dG-0007rZ-Td for msec@ietf.org; Mon, 05 Feb 2007 13:32:02 -0500
Received: from lvs00-fl-n04.ftl.affinity.com ([216.219.253.138]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HE8dF-0001QX-KG for msec@ietf.org; Mon, 05 Feb 2007 13:32:02 -0500
Received: ("??"@ams004.ftl.affinity.com) by ams004.ftl.affinity.com id S373524AbXBESa1 for <msec@ietf.org>; Mon, 5 Feb 2007 13:30:27 -0500
From: gmgietf@identaware.com
To: msec@ietf.org
Date: Mon, 05 Feb 2007 13:30:27 -0500
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <S373524AbXBESa1/20070205183027Z+1280@ams004.ftl.affinity.com>
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: gmgross@identaware.com
Subject: [MSEC] weis-esp-group-counter, was MSEC status update (fwd)
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/msec>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
Errors-To: msec-bounces@ietf.org
Hi Brian and Lakshminath,
<snip>
> V.
> New work (to be adopted after asking for group's opinion):
<snip>
> draft-weis-esp-group-counter-cipher-00: Ditto.
I do not have a strong objection to this draft being adopted as a MSEC
working group item. However, there are several questions (problems?) that I
wondered about when I did a quick superficial review of this draft.
1) A fundamental problem is nonce or IV re-use, as recently discussed at
length on CFRG. Wei Dai posted an good summary of those discussions and what
to do about this problem about a week ago. I would suggest that this draft
should include that guidance in its security considerations. That said, I
suspect the risk of compromise is magnified in direct proportion to the size
of the group membership. Instead of two endpoints, there are "N" endpoints
that could accidently re-use a {SID, SSIV} pair, and this needs to be
emphasized by this draft. There were about two dozen CFRG e-mail exchanges
about random number generation, counter management, virtual machine
interactions, and re-boot scenarios. At the least, the Sender-Specific IV
(SSIV) field must be saved in a non-volatile storage after each use to avoid
the scenario where a re-boot causes accidental {SID, SSIV} re-use. That way
if a member re-boots then re-joins the same group, then it MUST also restart
its SSIV at the last value used plus one. This is only one example. There
are other cases mentioned by CFRG that need documentation. Perhaps the SID
and SSIV must be qualified by a third field assigned by the GCKS, a
"registration instance" counter?
2) A second problem is the inability to scale to large groups because the
per sender state that receivers must maintain to enforce anti-replay
services. The draft does not mention anti-replay service or how it interacts
in this multi-sender group scenario. The draft must state that anti-replay
service is not recommended, or else explain how it is done such that it
scales to a large group.
3) The draft as written assumes that there is only a single cryptographic
group and a single omnipotent GCKS. It seems to preclude any easy extension
or accommodation for composite groups or distributed S-GCKS operations. In
particular, the requirements in section 4 could be a source of complexity.
Is an endpoint always required to interact with the same S-GCKS? Are all
S-GCKS expected to know the SID of every potential group member?
4) The assertion made in section 6, the Security Considerations, that the
security is equivalent to that of a single sender is not true and should be
replaced with text along the lines described above.
hth,
George
_______________________________________________
MSEC mailing list
MSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/msec